Timeline of ancient history


* First attacks: 1999-2000


* 2005: STRIDE model by Microsoft
  * Spoofing Identity
  * Tampering with Data
  * Repudiation
  * Information Disclosure
  * Denial of Service
  * Elevation of Privileges

[D]DoS


The difference between “a distributed attack” and an, 
err, not distributed one is vague. 


Traditional meaning: a distributed attack comes from multiple sources.

* What is a source? Is it an IP address or a machine?

* If it is a machine, does a virtual instance count?
  Or a few instances under the same physical hypervisor?
  What if they often migrate between physical machines?
  If I'm a victim, how do I tell a single-sourced attack from a multiple-sourced one?

* If it is an IP, then how do we treat spoofed traffic?


[D]DoS


Hence, a different sort of thinking applies: 


* DoS (as implied in STRIDE): a vulnerability in a piece of software
  (e.g. NULL pointer dereference, like Ping of Death)

* DDoS: computational resource exhaustion

Risk management


The basic idea behind STRIDE and other approaches is 
risk assessment, modelling and management. 
Probability/Impact Matrix

(Matrix on the slide. Impact, horizontal axis: Trivial, Minor, Moderate, Significant, Severe.
Probability, vertical axis: Rare, Unlikely, Moderate, Likely, Very Likely.)

Probability/Impact Matrix

DDoS attack, 2018:
* Impact: Severe
* Probability: ?


Motivation of an attacker

* Fun!
* Blackmail
* Self-promotion
* Political statement
* Revenge
* Market competition
* Diverting attention (e.g. in case of theft)
* Preventing access to compromising information
Motivation of an attacker

* Fun!
* Blackmail
* Self-promotion
* Political statement
* Revenge
* Market competition
* Diverting attention (e.g. in case of theft)
  [bracketed on the slide: "More or less predictable!"]
* Preventing access to compromising information

Rather hard to evaluate and control


(Screenshot on the slide: a table of contents of DDoS attack types, including 2.6 Application-level floods, 2.7 Nuke, 2.8 HTTP POST DDoS attack, ..., 2.16 DDoS Extortion)
Network resource exhaustion

* A computer network, as of today*, consists of layers

* A network resource is not available to its users
  when at least one network layer fails to provide service

* Hence, a DDoS attack can be attributed to the network layer
  which it affects
DDoS Classification

According to the ISO/OSI model:

* L2-3: generic bandwidth exhaustion
* L4-6: exploitation of TCP/TLS edge cases
* L7: application-specific bottlenecks

Attack examples

* L2-3
  * Volumetric attacks: UDP flood, SYN flood, amplification...
Typical amplification attack

* Most servers on the Internet send more data to a client than they receive

* UDP-based servers generally do not verify the source IP address

* This allows for amplification DDoS

(Diagram on the slide: the attacker sends a small request to the amplifier with
Src: victim (spoofed), Dst: amplifier; the amplifier answers with Src: amplifier,
Dst: victim. Example: a DNS query "ANY? com." answered with "com. NS i.gtld-...",
resulting in 29 Gbps towards the victim.)

Vulnerable protocols

* A long list actually

* Mostly obsolete protocols (RIPv1 anyone?)

* Modern protocols as well: gaming

* NTP
* DNS
* SNMP
* SSDP
* ICMP
* NetBIOS
* RIPv1
* PORTMAP
* CHARGEN
* Quake
* Steam
Vulnerable servers

* As it's mostly obsolete servers, they eventually get updated
  * or replaced
  * or just trashed

* Thus, the amount of amplifiers shows a steady downtrend

(Chart on the slide. Source: Qrator.Radar network scanner)


Mitigation

* Most amplification attacks are easy to track, as the source UDP port is fixed:
  NTP, DNS, SNMP, SSDP, ICMP, NetBIOS, RIPv1, PORTMAP, CHARGEN, QOTD, Quake, ...

* Two major issues:
  * ICMP
  * (Bittorrent?)
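The "fixed source port" observation above is what makes reflected traffic easy to attribute and police. The following is an added example (not code from the slides or from Qrator Labs) that classifies constructed tcpdump-style summary lines by their UDP source port, aggregates bytes per vector and emits a source-port police decision for dominant vectors; the port table, the ICMP handling and the sample capture are the editor's assumptions.

```python
import re
from collections import defaultdict

# Service ports of the reflection vectors named on the slides. Reflected traffic reaches
# the victim with the amplifier's service port as the UDP *source* port, which is what
# makes these vectors easy to track and to police by port.
AMPLIFIER_PORTS = {
    123: "NTP", 53: "DNS", 161: "SNMP", 1900: "SSDP", 137: "NetBIOS", 520: "RIPv1",
    111: "PORTMAP", 19: "CHARGEN", 17: "QOTD", 27960: "Quake", 11211: "memcached",
}

# tcpdump-style summary line, e.g. "IP 198.51.100.7.123 > 203.0.113.9.40123: UDP, length 468"
UDP_RE = re.compile(
    r"IP (?P<src>(?:\d+\.){3}\d+)\.(?P<sport>\d+) > (?P<dst>(?:\d+\.){3}\d+)\.(?P<dport>\d+): "
    r"UDP, length (?P<len>\d+)"
)
# ICMP has no ports at all, so port-based attribution cannot work for it (one of the
# "two major issues" on the slide); it is counted as its own vector.
ICMP_RE = re.compile(
    r"IP (?P<src>(?:\d+\.){3}\d+) > (?P<dst>(?:\d+\.){3}\d+): ICMP.*length (?P<len>\d+)"
)


def classify_line(line):
    """Map one capture line to (vector name, bytes); None for lines we do not understand."""
    m = UDP_RE.search(line)
    if m:
        return AMPLIFIER_PORTS.get(int(m.group("sport")), "other-udp"), int(m.group("len"))
    m = ICMP_RE.search(line)
    if m:
        return "ICMP", int(m.group("len"))
    return None


def summarize(lines):
    """Bytes per vector and that vector's share of everything that could be classified."""
    by_vector = defaultdict(int)
    for line in lines:
        hit = classify_line(line)
        if hit is not None:
            by_vector[hit[0]] += hit[1]
    total = sum(by_vector.values()) or 1
    return {v: (b, b / total) for v, b in by_vector.items()}


def police_decisions(summary, share_threshold=0.2):
    """For every vector above the share threshold: a source-port police rule if the port is
    fixed, otherwise a pointer to the handshake/session-analysis measures from later slides."""
    port_of = {name: port for port, name in AMPLIFIER_PORTS.items()}
    decisions = {}
    for vector, (_, share) in summary.items():
        if share < share_threshold:
            continue
        if vector in port_of:
            decisions[vector] = "police udp src port %d" % port_of[vector]
        else:
            decisions[vector] = "no fixed port: needs handshake/challenge or session analysis"
    return decisions


# Constructed capture (documentation-range addresses), not a real trace.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 198.51.100.7.123 > 203.0.113.9.40123: UDP, length 468",
    "12:00:01.000002 IP 198.51.100.8.123 > 203.0.113.9.40123: UDP, length 468",
    "12:00:01.000003 IP 198.51.100.9.11211 > 203.0.113.9.40123: UDP, length 1400",
    "12:00:01.000004 IP 198.51.100.9.11211 > 203.0.113.9.40123: UDP, length 1400",
    "12:00:01.000005 IP 198.51.100.9.11211 > 203.0.113.9.40123: UDP, length 1400",
    "12:00:01.000006 IP 198.51.100.20 > 203.0.113.9: ICMP echo reply, id 1, seq 1, length 64",
    "12:00:01.000007 IP 192.0.2.5.443 > 203.0.113.9.40123: UDP, length 1200",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_CAPTURE)
    for vector, (nbytes, share) in sorted(s.items(), key=lambda kv: -kv[1][0]):
        print("%-10s %6d bytes  %5.1f%%" % (vector, nbytes, 100 * share))
    print(police_decisions(s))
```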
memcached

* A fast in-memory cache
* Heavily used in Web development
* Listens on all interfaces, port 11211, by default
memcached

* Basic ASCII protocol doesn't do authentication

* 2014, Blackhat USA:
  "An attacker can inject arbitrary data into memory"

* 2017, Power of Community:
  "An attacker can send data from memory to a third party via spoofing the victim's IP address"
import memcache

m = memcache.Client([
    'reflector.example.com:11211'
])

m.set('a', value)
    - to inject a value of an arbitrary size under key "a"

# 8-byte memcached UDP frame header (request id, sequence number,
# datagram count, reserved), followed by the ASCII command
print '\0\x01\0\0\0\x01\0\0gets a\r\n'
    - to retrieve a value

print '\0\x01\0\0\0\x01\0\0gets a a a a a\r\n'
    - to retrieve a value 5 times. Or 10 times. Or a hundred.
Default memcached conf. in Red Hat

* memcached listens on all network interfaces
* both TCP and UDP transports are enabled
* no authentication is required to access Memcached

* the service has to be manually enabled or started

* the default firewall configuration does not allow remote access to Memcached

* Also Zimbra, etc.


Amplification factor

* Typical amplification factor used to be hundreds
* For memcached, it's millions, and no fixed source port
* Amplification isn't something to underestimate

(Chart on the slide: amplification factors of NTP, CharGEN, QotD, RIPv1, Quake, LDAP.
Source: https://www.us-cert.gov/ncas/alerts/TA14-017A)


Router configuration shown on the slides (rate-limiting UDP traffic sourced from port 11211, i.e. memcached replies, to 1% at the customer-facing edge):

ipv4 access-list exploitable-ports
 permit udp any eq 11211 any
!
ipv6 access-list exploitable-ports-v6
 permit udp any eq 11211 any
!
class-map match-any exploitable-ports
 match access-group ipv4 exploitable-ports
 match access-group ipv6 exploitable-ports-v6
!
policy-map ntt-external-in
 class exploitable-ports
  police rate percent 1
   conform-action transmit
   exceed-action drop
  !
  set precedence 0
  set mpls experimental topmost 0
 !
 class class-default
  set mpls experimental imposition 0
  set precedence 0
 !
 end-policy-map
!
interface Bundle-Ether19
 description Customer: the best customer
 service-policy input ntt-external-in
 ipv4 address xxx/x
 ipv6 address yyy/y
!
interface Bundle-Ether20
 service-policy input ntt-external-in
... etc

Source: http://mailman.nlnog.net/pipermail/nlnog/2018-March/002697.html


Proof of Source Address Ownership

E.g., QUIC:

* Initial handshake packet padded to 1280 bytes

* Source address validation


IoT attacks!

* 2014: LizardStresser

* 2015: SOHO routers become a persistent target for malware

* 2016: Mirai

* 2017: Persirai, Hajime, ...
Attack examples

* L2-3
  * Volumetric attacks: UDP flood, SYN flood, amplification,
    and so on (we don't need to care exactly)
  * Infrastructure attacks
L2-3 mitigation

From a victim's perspective:
* Anycast network with enough inspection power
* Inventory management to drop unsolicited traffic vectors (e.g. UDP towards an HTTP server)
* Rate-limiting less important traffic
* Challenges and handshakes (more on that later)

From an ISP's view:
* Simple heuristics against typical attacks
* RTBH (and let the customer take care of it themselves)


Attack examples

* L4-6
  * SYN flood, TCP connection flood, Sockstress, and so on
  * TLS attacks
Attack examples

* L2-3
  * Volumetric attacks: UDP flood, SYN flood, amplification,
    and so on (we don't need to care exactly)
  * Infrastructure attacks

* L4-6
  * SYN flood, TCP connection flood, Sockstress, and so on
  * TLS attacks

An attack can affect multiple layers at once
Combined attacks

* Say, NTP amplification and SYN flood at the same time.

* The idea is to divert the attention of the people who are in charge of mitigation
  and to prevent them from focusing on the real threat
Code fragment shown on the slide (an HTTP request builder; the first, commented-out line is cut off on the slide):

//util_strcpy(buf + util_strlen(buf), "POST /cdn-cgi/l/chk_captcha
util_strcpy(buf + util_strlen(buf), "POST /cdn-cgi/");
rand_alphastr(buf + util_strlen(buf), 16);
util_strcpy(buf + util_strlen(buf), " HTTP/1.1\r\nUser-Agent: ");
util_strcpy(buf + util_strlen(buf), conn->user_agent);
util_strcpy(buf + util_strlen(buf), "\r\nHost: ");
util_strcpy(buf + util_strlen(buf), conn->domain);
util_strcpy(buf + util_strlen(buf), "\r\n");

Packet capture shown on the slide (a UDP flood arriving encapsulated in GRE):

21:30:01.226868 IP 94.251.116.51 > 178.248.233.141: GREv0, length 544: IP 184.224.242.144.65323 > 167.42.221.164.80: UDP, length 512
21:30:01.226873 IP 26.227.212.111 > 178.248.233.141: GREv0, length 544: IP 90.185.119.106.50021 > 179.57.238.88.80: UDP, length 512
21:30:01.226881 IP 46.59.29.150 > 178.248.233.141: GREv0, length 544: IP 31.173.79.118.42580 > 115.108.7.79.80: UDP, length 512
L4+ mitigation

(Diagram on the slide: a traffic filtering node in front of the server)

* SYN flood: 3-way handshake-based SYN cookies & SYN proxy,
  allowing a victim to verify the source IP address

* Other packet-based floods: other handshakes and challenges to do the same

* The rest: session analysis, heuristics and blocklists
A True Story

* An enterprise got ~40 Gbps of DNS amplification

* Decided it's a good idea to parse the source IP addresses of reflectors and populate a blocklist

* 2 hours after, the attacker started enumerating IPv4 0/0 within empty packets' sources
  (with source UDP port 53)

* Started with the most popular ISP access prefixes
* 8 hours later, nothing is working, ~1 bln IPv4 addresses in the blocklist
L4+ mitigation

* SYN flood: 3-way handshake-based SYN cookies & SYN proxy,
  allowing a victim to verify the source IP address

* Other packet-based floods: other handshakes and challenges to do the same

* The rest: session analysis, heuristics and blocklists

* It is dangerous to use blocklists or allowlists without source IP address verification!

* Do not forget about inventory management!
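The SYN-cookie point above and the blocklist warning (together with the "True Story" of a blocklist poisoned by spoofed sources) are two sides of the same rule: only a source that has completed a handshake has proven it owns its address. The following is an added example (not code from the slides or from Qrator Labs) of a stateless SYN cookie in the classic 5-bit counter / 3-bit MSS / 24-bit MAC layout, and a filtering node that admits a source to its blocklist only after such a handshake; the secret, the MSS table and the addresses are constructed.

```python
import hashlib
import hmac

# Constructed secret for the example; a real node uses a random, periodically rotated key.
SECRET = b"constructed-demo-secret"
# MSS values a cookie can encode in its 3-bit field (classic SYN cookie layout).
MSS_TABLE = [536, 1300, 1440, 1460]


def _mac24(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = ("%s:%d>%s:%d|%d" % (src_ip, src_port, dst_ip, dst_port, counter)).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """ISN for the SYN-ACK: 5-bit time counter | 3-bit MSS index | 24-bit MAC. No state kept."""
    counter = (now // 64) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (counter << 27) | (mss_idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, counter)


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now):
    """Validate the final ACK of the handshake. Returns the encoded MSS, or None if the
    ACK does not carry a cookie we could have issued in this or the previous 64 s window."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (now // 64) & 0x1F
    if counter not in (current, (current - 1) & 0x1F):
        return None
    if mac != _mac24(src_ip, src_port, dst_ip, dst_port, counter):
        return None
    return MSS_TABLE[mss_idx]


class FilterNode:
    """Traffic filtering node in front of the server: answers SYNs statelessly and lets
    only sources that completed the handshake (and so proved they own their address)
    be written into the blocklist."""

    def __init__(self, dst_ip="203.0.113.9", dst_port=80):
        self.dst = (dst_ip, dst_port)
        self.verified = set()
        self.blocklist = set()

    def on_syn(self, src_ip, src_port, mss, now):
        return make_cookie(src_ip, src_port, self.dst[0], self.dst[1], mss, now)

    def on_ack(self, src_ip, src_port, ack, now):
        if check_cookie(src_ip, src_port, self.dst[0], self.dst[1], ack, now) is None:
            return False
        self.verified.add(src_ip)
        return True

    def report_abuse(self, src_ip):
        """A spoofed source never completes the handshake, so it cannot poison the list."""
        if src_ip not in self.verified:
            return False
        self.blocklist.add(src_ip)
        return True


def demo(now=1_700_000_000):
    node = FilterNode()
    isn = node.on_syn("198.51.100.5", 40000, 1460, now)          # real client
    client_ok = node.on_ack("198.51.100.5", 40000, isn + 1, now + 1)
    forged = ["10.7.%d.%d" % (i // 256, i % 256) for i in range(1000)]  # constructed flood sources
    for src in forged:
        node.on_syn(src, 1234, 1460, now)                         # SYN-ACKs go nowhere, no state kept
    poisoned = sum(node.report_abuse(src) for src in forged)      # none of them gets blocklisted
    return client_ok, len(node.verified), poisoned                # (True, 1, 0)
```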
L4+ mitigation

* L2-L4 attacks might target not only servers, but client networks as well

* Real world scenarios:
  * Gaming and betting: altering the results of an online tournament
  * Altering results of online exams to prevent competing students from collecting good marks
  * Stocks and auctions
  * https://www.v3.co.uk/v3-uk/news/2478411/ec-offices-taken-offline-by-large-scale-ddos-attack

* Defense is basically the same

* Scalability is a problem though
L4+ mitigation

* It's wrong to believe L4 is only TCP
  (though, yes, UDP doesn't matter a lot)

* New transport protocols are implemented
  * By vendors
  * By applications
  * By IETF

* End-user servers?
* End-user backoffice?
* Transit and ISPs?
Blocking known attack sources

* Also known as:
  "I'm not expecting Spanish-inquisition Chinese customers,
  why don't we just deny access to the Chinese IPs?"
Network Redlining

Why is it a bad idea? Here are a few reasons:

* GeoIP databases are unofficial and unreliable
MaxMind GeoIP database

(Screenshot on the slide: MaxMind "GeoIP2 City Database Demo" queried for 8.8.8.8.
Result row: Country Code US, Location "United States, North America", Approximate
Coordinates 37.751, -97.822, Accuracy Radius 1000, ISP Google, Organization Google,
with a map pin at 37.751, -97.822.)

(Meme on the slide: "ANYCAST DNS SERVER WENT UNDERWATER AND STILL NO ARRESTS? GEOIP DATABASE?")

MaxMind GeoIP database

(The same screenshot again, annotated: "Sorry, this is wrong!")


MaxMind GeoIP database

Has its "owner location vs actual location" dilemma.
Generally unreliable for anything except statistics.

* https://stackoverflow.com/questions/22986794/continuously-decreasing-accuracy-of-maxmind-geolite-city
* https://www.techdirt.com/articles/20160413/12012834171/how-bad-are-geolocation-tools-really-really-bad.shtml
* https://splinternews.com/how-an-internet-mapping-glitch-turned-a-random-kansas-t-1793856052

* There's no geography on the Internet, just network topology.

* There are no countries, just autonomous systems and their relations.


Network Redlining

* GeoIP databases are unofficial and unreliable
* IP addresses get sold and bought
* Some IP networks are being used far from the original RIR
* Anycast

Some of the above might be better with IPv6.
IPv6 Issues

* 128-bit IP addresses
  * Possible: to address each atom on the Earth's surface
  * Impossible: to store a large number of entries in memory

* About 10 years ago, blocking whole IPv4 networks was already considered a bad practice

* With IPv6, this method has no other way than to return
Attack examples

* L2-3
  * Volumetric attacks: UDP flood, SYN flood, amplification,
    and so on (we don't need to care exactly)
  * Infrastructure attacks
* L4-6
  * SYN flood, TCP connection flood, Sockstress, and so on
  * TLS attacks
* L7
  * Application-specific flood


Wordpress Pingback

Request as seen by the victim:

    GET /whatever
    User-Agent: WordPress/3.9.2; http://example.com/; verifying pingback from 192.0.2.150

* 150 000 - 170 000 vulnerable servers at once

* SSL/TLS-enabled

(Chart on the slide: traffic in bps between 14:40 and 15:10, series Input, Passed and Output.
Input: 594 Gbps; Output: ... Mbps; Passed: ... Mbps. Data from Qrator monitoring engine.)
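The pingback probe above is easy to recognise at the victim because every reflector announces itself in the User-Agent. The following is an added example (not code from the slides or from Qrator Labs) that parses constructed combined-format access-log lines, extracts the WordPress site and the forged origin from that User-Agent, and flags the reflection once many distinct sites are probing at once; the log format, the threshold and the sample lines are the editor's assumptions.

```python
import re
from collections import Counter

# Combined log format as written by an nginx/Apache front end (constructed lines below).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# The User-Agent a WordPress host sends while verifying a pingback, as shown on the slide.
PINGBACK_RE = re.compile(
    r"^WordPress/(?P<ver>[\d.]+); (?P<site>https?://[^;\s]+); verifying pingback from (?P<claimed>[\d.]+)$"
)


def parse_pingback(line):
    """(reflector ip, WordPress site, claimed origin) if the line is a pingback probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PINGBACK_RE.match(m.group("ua"))
    if not p:
        return None
    return m.group("src"), p.group("site"), p.group("claimed")


def pingback_report(lines, min_sites=3):
    """Reflection indicator: many *distinct* WordPress installations verifying pingbacks at
    once, typically all citing the same forged origin. Returns the counts, the claimed origins
    and whether the pingback User-Agent should get a cheap 403 instead of the full page."""
    sites, origins, reflectors = set(), Counter(), set()
    for line in lines:
        hit = parse_pingback(line)
        if hit:
            reflectors.add(hit[0])
            sites.add(hit[1])
            origins[hit[2]] += 1
    return {"reflectors": len(reflectors), "sites": len(sites),
            "claimed_origins": dict(origins), "block_pingback_ua": len(sites) >= min_sites}


# Constructed log: five reflectors probing on behalf of one forged origin, one normal visitor.
SAMPLE_LOG = [
    '198.51.100.%d - - [10/Mar/2018:14:41:%02d +0000] "GET /whatever HTTP/1.1" 200 51234 "-" '
    '"WordPress/3.9.2; http://blog%d.example; verifying pingback from 192.0.2.150"' % (i, i, i)
    for i in range(5)
] + [
    '203.0.113.7 - - [10/Mar/2018:14:41:09 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(pingback_report(SAMPLE_LOG))
```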


Another example of a L7 attack: FBS

* A bot can actually be more clever than a Wordpress machine

* Advanced botnets are capable of using a headless browser (IE/Edge or Chrome)
  -> "full browser stack" (FBS) botnets

* An FBS-enabled bot is able to go through even complex challenges, like Javascript code execution
Another example of a L7 attack: FBS

CAPTCHA is a weapon of last resort against FBS, when we speak of active countermeasures.

Pros:
* Easy to implement
* Generally, might work
CAPTCHA

Cons:
* Requires UX injection, may break UX
* Breaks mobile applications
* Sometimes harder for humans than for robots
* Not all bots are malicious, and not all humans are innocent
* CAPTCHA proxies and farms, like http://antigate.com/
* Malware is able to inject CAPTCHA into pages the user of the infected computer is looking at
* OCR tools evolve fast
* Voice recognition evolves even faster
* "Security by obscurity": an open-sourced CAPTCHA is (relatively) easy to break
  using open source machine learning tools.


Another example of a L7 attack: FBS

Under most conditions, unlike Wordpress pingback, such attacks won't cause link degradation,
hence they are generally out of the scope of a network operator's responsibility
Another example of a L7 attack: DNS

* DNS is built on top of UDP*, and a DNS request fits in a packet

* The structure of a DNS query is simple
DNS lookup

10:00:34.510826 IP (proto UDP (17), length 56) 192.168.1.5.63097 > 8.8.8.8.53: 9508+ A? facebook.com. (30)

10:00:34.588632 IP (proto UDP (17), length 72) 8.8.8.8.53 > 192.168.1.5.63097: 9508 1/0/20 facebook.com. A 31.13.72.36 (45)


DNS lookup

* DNS is built on top of UDP*, and a DNS request fits in a packet
* The structure of a DNS query is simple

* An attacker capable of generating spoofed queries will make a userspace DNS application
  process all those fake requests, rendering a DNS server unavailable, this time L7-wise.

* "Water torture"

* This is what happened in October 2016 with Dyn.
  (News headline on the slide: "Major DDoS attack on Dyn DNS knocks Spotify, Twitter, Github,
  PayPal, and more offline. The sound of silence.")

DNS lookup

* Luckily, the DNS protocol allows switching to TCP, and in TCP we have a handshake
  to verify the source IP address, hence blocklists apply.

* Once again, though, enough bandwidth and inspection power is required

* Unfortunately, other UDP-based protocols (e.g. gaming) are mostly built
  without DDoS mitigation in mind
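To make the "simple structure" and the L7 cost concrete, the following is an added example (not code from the slides or from Qrator Labs): it builds the 30-byte query from the tcpdump lookup above, parses a query the way a server has to before it can answer or drop it, and flags the "water torture" pattern (a flood of distinct random names under one zone) over constructed traffic; the zone heuristic, thresholds and sample queries are the editor's assumptions.

```python
import struct
from collections import defaultdict


def encode_qname(name):
    """'facebook.com.' -> b'\\x08facebook\\x03com\\x00'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, qtype=1):
    """Wire form of a recursive A query; id 9508 for 'facebook.com.' is exactly 30 bytes,
    the size tcpdump reported for the query above."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_query(packet):
    """Decode the header and the single question; ValueError on anything malformed.
    This is the work a server must do for every spoofed packet before it can drop it."""
    if len(packet) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"id": txid, "rd": bool(flags & 0x0100), "qname": ".".join(labels) + ".",
            "qtype": qtype, "qclass": qclass}


def water_torture_suspects(packets, min_queries=20, unique_ratio=0.9):
    """Group queries by zone (last two labels) and flag zones where nearly every query asks
    for a different, never-seen name: the 'water torture' pattern that forces a full lookup
    for each and every packet. Malformed packets are skipped (cheap to drop)."""
    names_per_zone = defaultdict(list)
    for pkt in packets:
        try:
            q = parse_query(pkt)
        except ValueError:
            continue
        labels = q["qname"].rstrip(".").split(".")
        names_per_zone[".".join(labels[-2:])].append(q["qname"])
    return {zone: len(names) for zone, names in names_per_zone.items()
            if len(names) >= min_queries and len(set(names)) / len(names) >= unique_ratio}


# Constructed traffic: one client repeating a normal lookup, and a flood of distinct
# subdomains under a victim zone (deterministic labels stand in for random ones).
NORMAL = [build_query(9508, "facebook.com.")] * 30
FLOOD = [build_query(i, "x%04x.example.com." % i) for i in range(50)]

if __name__ == "__main__":
    print(len(build_query(9508, "facebook.com.")), parse_query(NORMAL[0]))
    print(water_torture_suspects(NORMAL + FLOOD))
```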
L7 mitigation

COMPLICATED

* Active:
  * HTTP/JS challenges
  * CAPTCHA
* Passive:
  * Application session analysis
  * Big Data
  * Correlation, machine learning
  * Monitoring, incident response
False P/N

* Everything learning-based is not strict

* A false positive: the algorithm shows a match when there's no match

* A false negative: the algorithm shows no match when there's a match

* Basically, any algorithm may be tuned to either 0% FP or 0% FN
* The truth is somewhere in between
* The balance is defined by the purpose
Attack examples

* L2-3
  * Volumetric attacks: UDP flood, SYN flood, amplification,
    and so on (we don't need to care exactly)
  * Infrastructure attacks
* L4-6
  * SYN flood, TCP connection flood, Sockstress, and so on
  * TLS attacks
* L7
  * Application-based flood

These classes are:
* Mutually exclusive
* Collectively exhaustive
However


The Internet is a complex thing. 
A decades old job interview quiz

* "What happens when you type www.google.com in your browser?"

* https://github.com/alex/what-happens-when:
  Table of Contents
  * The "g" key is pressed
  * The "enter" key bottoms out
  * Interrupt fires [NOT for USB keyboards]
  * (On Windows) A WM_KEYDOWN message is sent to the app
  * (On OS X) A KeyDown NSEvent is sent to the app
  * (On GNU/Linux) the Xorg server listens for keycodes


"What happens when..."?

* DNS lookup
* IPv4/IPv6 selection
* Opening of a socket
* Deep packet inspection
* TLS handshake
* CRL/OCSP
* HTTP protocol
* Load balancer
* HTTP Server Request Handle
* CDN

* As the Dyn incident shows: an application server could not only be
  a direct target of a DDoS attack
* Each step could suffer from an attack, L2-L7-wise
* Inventory management
* Infrastructure monitoring


Architectural view

* Security is not a product, not an appliance, it's a process

* The ability to mitigate DDoS must be built into the design of any protocol

* A concerned company must follow policies:
  * Updates
  * Risk management
  * Incident handling
Risk management for an ISP/DC/cloud

* A network operator will basically suffer only from bandwidth-consuming attacks
* Sometimes, cloud adds CPU/memory costs

* However, an attacker will most likely use just the tool they have at their disposal:
  an amplifier or a botnet, it doesn't matter

* Thus, the probability of an attack towards the network is the aggregate probability
  of an attack for each customer in the network
Risk management for a customer

* The rest of it!
* It's important to stay aware of PR activities, marketing initiatives, and news

* Even more important: to choose a solution, given all the layers and risks
What's next?

* memcached:
  * Disclosure in November 2017
  * In the wild: February 2018

* Three months is an overly short interval
* Next time, it might be even shorter

* Meltdown/Spectre show: the embargo approach doesn't work well for a community large enough

What's next?

* The problem is not the Internet of Things only, it's the overall insecurity,
  operational failures, and ignorance of some Internet community members.

* Sounds like we've found the root cause... yet, it won't go away anytime soon.
What's next?

* Collaboration
* Proper and timely reaction
* Reach out to your CERT/CSIRT (you do have one, right?) for advisory.